Incorrect Registry Read Permissions Being Set

delphi package - easy access to security apis
mimar
Posts: 13
Joined: Sat Jul 16, 2005 2:57 pm

Post by mimar »

It seems setting read permissions on a registry key assigns an incorrect attribute. The KEY_CREATE_LINK is assigned instead of the correct KEY_NOTIFY value.

Is there a possible fix/workaround for this? Can an API be called to resolve the issue, or do we wait for the next madSec update?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Which code are you using to set read permission?

Post by mimar »

I am using the following code:

var
  acc: IAccount;
  sec: ISecurityObject;
begin
  sec := RegistrySecurity(...);  // security object of the registry key
  AccountCache_Clear;
  acc := Account(...);           // account that should get access
  sec.DAcl.SetFileAccess(acc, false);
  sec.DAcl.Flush;
end;

Post by madshi »

SetFileAccess is meant for file accesses, not for registry key accesses. You should do "DeleteItems(acc)" plus "NewItem(...)" instead. This will remove all old ACEs in the ACL for the specified account and then add one new one with exactly the right combination you want.

Post by mimar »

I just want to be able to set Read and Write access.
Might it be possible for you to post a code snippet for those tasks?

Post by mimar »

I mean, how can I grant a named user Read or Write access to a specified key without damaging existing permissions? (Just like the way the file version works.)

Post by madshi »

I'd suggest this:

Use regedit to set the access rights you want to have. Then use madSecurity to enumerate the ACEs to find out which access rights are needed. Afterwards you can use IACL.AddItem to realize exactly this combination of rights.

I'm sorry, but I'm at work now. I can't do all the work for you! :)

Post by mimar »

Please, I can find out the required settings myself, but can you show a code snippet so I know what madAPI functions I need to call in which order?

Please :crazy:

Post by madshi »

I already told you. You can use the same code as before, just replace SetFileAccess with "DeleteItems" plus "NewItem".

Post by mimar »

So like this?

var
  acc: IAccount;
  sec: ISecurityObject;
begin
  sec := RegistrySecurity(...);  // security object of the registry key
  AccountCache_Clear;
  acc := Account(...);           // account that should get access
  sec.DAcl.DeleteItems(acc);     // remove the old ACEs for this account
  sec.DAcl.NewItem(...);         // add one new ACE with the wanted rights
  sec.DAcl.Flush;
end;

Also, is it the same way then for all other types of permissions? Do we have pre-built functions only for files and printers, and have to use the above method for registry, shares, and services? :crazy:

Post by madshi »

Shares have the same access rights as files/printers have. Services and registry have different rights. And yes, the code looks alright to me.
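
The mismatch reported at the top of the thread, shown at the bit level; this is an added example, not part of the original posts and not madSecurity code. It decodes a file-style read mask using the registry's names for the same bits. The constants are from winnt.h; that a file "read" grant equals FILE_GENERIC_READ or FILE_GENERIC_EXECUTE is an assumption (the thread does not show what SetFileAccess writes), and DescribeAsKeyRights is a hypothetical helper.

```delphi
program RegMaskDecode;
{$APPTYPE CONSOLE}
// Added example: shows how file access bits read when applied to a registry key.
uses
  SysUtils;

type
  TBitName = record
    Bit: Cardinal;
    Name: string;
  end;

const
  // Values from winnt.h.
  FILE_GENERIC_READ    = $00120089;
  FILE_GENERIC_EXECUTE = $001200A0;
  KEY_READ             = $00020019;
  // Object-specific bits as the registry defines them.
  KeyBits: array[0..5] of TBitName = (
    (Bit: $01; Name: 'KEY_QUERY_VALUE'),
    (Bit: $02; Name: 'KEY_SET_VALUE'),
    (Bit: $04; Name: 'KEY_CREATE_SUB_KEY'),
    (Bit: $08; Name: 'KEY_ENUMERATE_SUB_KEYS'),
    (Bit: $10; Name: 'KEY_NOTIFY'),
    (Bit: $20; Name: 'KEY_CREATE_LINK'));

// Names the low 16 (object-specific) bits of Mask as a registry key sees them.
function DescribeAsKeyRights(Mask: Cardinal): string;
var
  i: Integer;
  Rest: Cardinal;
begin
  Result := '';
  Rest := Mask and $FFFF;
  for i := Low(KeyBits) to High(KeyBits) do
    if (Rest and KeyBits[i].Bit) <> 0 then
    begin
      Result := Result + KeyBits[i].Name + ' ';
      Rest := Rest and not KeyBits[i].Bit;
    end;
  if Rest <> 0 then
    Result := Result + '(undefined for keys: $' + IntToHex(Rest, 2) + ')';
end;

begin
  // Assumption: a file "read" grant is FILE_GENERIC_READ or FILE_GENERIC_EXECUTE.
  Writeln('file read on a key: ',
    DescribeAsKeyRights(FILE_GENERIC_READ or FILE_GENERIC_EXECUTE));
  Writeln('KEY_READ          : ', DescribeAsKeyRights(KEY_READ));
end.
```

FILE_EXECUTE and KEY_CREATE_LINK share the value $20, while the bit behind KEY_NOTIFY ($10) is FILE_WRITE_EA for files and so is absent from a file read mask.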